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Abstract — Turbo coding Is a powerful class of forward error 
correcting codes, which can achieve performances close to the 
Shannon limit. The turbo principle can be applied to the 
problem of side-information source coding, and we investigate 
here its application to the reconciliation problem occuring in a 
continuous-variable quantum key distribution protocol. 

Index Terms — Distributed source coding, turbo principle, rec- 
, onciliation, quantum secret key distribution. 

I. Introduction 
•A. Side-Information Source Coding 

Given a source of two correlated random variables X and 
y, the minimal achievable rate of encoding of X is H{X\Y) 
when Y is given losslessly to the decoder. Surprisingly, 
this rate is also achievable when Y is known only to the 
decoder, not to the encoder [1]. In this setting, Y is called 
the side information and the encoding of X is known as side- 
information source coding. 

The construction of efficient side-information source coding 
schemes is a difficult problem [2]. Recently, turbo codes have 
shown to be good candidates for this coding appUcation [3]. 

B. The Turbo Principle 

Turbo coding was first introduced in 1993 by Berrou et 
al. [4]. Since then it has been intensively studied and has 
proved to approach the Shannon limit closer than any other 
known forward error correcting code. The efficiency of the 
turbo codes is due to the use of an iterative process at the 
decoder side and the presence of an interleaver at the encoder 
side, which adds randomness-like effect to the code. 

Our motivation for studying side-information coding in 
general, and turbo codes specifically, is described next. 

C. Quantum Key Distribution 

Quantum key distribution (QKD), also called quantum 
cryptography, allows two parties, Alice and Bob, to share a 
secret key that can be used for encrypting messages using a 
classical cipher, e.g., the one-time pad. The main interest of 
such a key distribution scheme is that any eavesdropping is, in 
principle, detectable as the laws of quantum mechanics imply 
that measuring a quantum state generally disturbs it. 
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To share a secret key, a few steps must be performed. 
First, quantum states are sent from Alice to Bob, or vice- 
versa, on the so-called quantum channel. This process gives the 
two parties correlated random variables, Xa and Xb- Then, 
using a classical public authenticated channel, Alice and Bob 
compare a sample of the transmitted data, from which they 
can determine an upper bound on the amount of information 
a possible eavesdropper may have acquired. Finally, they distill 
a common secret key K, which is conventionally a function 
ofXA- 

Secret key distillation [5] usually involves two steps. In 
the first step, called reconciliation, Alice and Bob exchange 
information over the public authenticated channel in such a 
way that Bob can recover Xa knowing Xb- The exchanged 
information is considered known to an eavesdropper The sec- 
ond step consists in applying a privacy amplification protocol 
[6] to wipe out the enemy's information on both quantum and 
classical transmissions, at the cost of a reduction in the key 
length. This reduction is roughly equal to the number of bits 
known to an eavesdropper [6]. 

It thus appears clearly that reconciliation should not give 
more information than necessary on Xa, otherwise resulting in 
a penalty in the key length. Hence, the interest of investigating 
the use of (efficient) turbo coding in this context. 

D. Problems with Interactive Reconciliation 

An additional motivation for using turbo codes in the scope 
of QKD lies in that reconciliation is traditionally performed 
using interactive protocols, such as Cascade [7]. While they 
are perfectly suited to discrete QKD protocols, such as BB84 
[8], they suffer from both practical and fundamental problems 
when used for continuous-variable QKD protocols [9]. For a 
given number of reconciliation bits transmitted from Alice to 
Bob, interactive protocols impose an additional penalty on the 
key length over one-way protocols, due to the information 
leaked from the reconciliation bits originating from Bob. 
Furthermore, the evaluation of this leaked information depends 
on the particular eavesdropping strategy, which rules out the 
use of this method when no assumption on the enemy's side 
may be made. More details are given in Sec. |llll 

Replacing interactive reconciliation protocols by efficient 
side-information coding is thus another strong motivation for 
studying this application of turbo coding. 

II. Turbo Coding with Side Information 

A. Turbo Encoder and Turbo Decoder 

A turbo encoder is a parallel concatenation of two, or more, 
constituent codes separated by one, or more, interleavers. The 



constituent codes are usually two identical recursive systematic 
convolutional codes. The input sequence to be encoded is 
divided into blocks of length N. Each block is encoded by the 
first encoder and interleaved before passing through the second 
encoder. In channel coding, the systematic output of the first 
encoder, along with the parity check bits of both encoders are 
transmitted through the channel. Such a scheme usually uses 
rate half constituent encoders, so the overall rate is one third. 
The rate can be increased by puncturing a fraction of the parity 
bits. 

The turbo decoder consists of two, or more, Soft-In Soft-Out 
(SISO) maximum likelihood decoders. Those decoders operate 
in parallel, passing extrinsic information to one another in an 
iterative way. The error rate is lowered after each iteration but 
the gain in bit error rate decreases as the number of iterations 
increases, so for complexity reasons the decoder typically 
performs between 6 and 20 iterations. 

Two families of decoding algorithms are commonly used 
in turbo decoding: Soft Output Viterbi Algorithms (SOVA) 
and Maximum A Posteriori (MAP) algorithms. The MAP 
algorithm [10] is more efficient but more complex than the 
SOVA. However, simplified versions of this algorithm such as 
MAX-Log-MAP and Log-MAP perform almost as well with 
a reduced complexity. 

B. Application to Side-Information Source Coding 

In the turbo coding principle, the systematic output of the 
first component encoder is sent through the channel together 
with the parity bits from the two encoders. Turbo coding can 
be used for side-information source coding if we consider the 
input bit sequence as the random variable X, the systematic 
output of the channel as the side information Y, and the parity 
bits from the two encoders as the information provided to 
recover X from Y. 

Thus, in practice, y is a noisy version of X that is known by 
the receiver, X is encoded with a turbo encoder by the emitter 
but only the parity bits are transmitted, and the receiver uses 
those parity bits and Y to recover X by turbo decoding. To 
achieve a transmission rate close to the Slepian-Wolf limit, an 
appropriate puncturing pattern must be used to transmit only 
a fraction of the produced parity bits. 

III. Reconciliation for Continuous-Variable QKD 

Gaussian-modulated QKD protocols using coherent states 
have shown to deliver higher secret bit rates than those based 
on single photons while using standard telecom optical com- 
ponents [9]. Since they produce continuous variables (i.e., Xa 
and Xb are correlated Gaussians), a reconciliation procedure 
adapted to this situation must be used. We here assume that 
the variable Xa is converted into bits, as described in [11] 
and implemented in [9]. 

Without going into the details, each instance of Xa is 
transformed into Tnbits, making m ^bits strings {5'i}j£{i „}, 
each called a slice, when a run of the QKD protocol produces 
I instances of Gaussian variables. These ml bits will serve as 
input to the privacy amplification protocol. On his side. Bob 
needs to determine Alice's bit values. For this, he calculates his 



best estimate of Si given the I values of Xb, thus producing 
the l-hit string Si for each i. (') Using a binary reconciliation 
protocol. Bob then recovers Si given his knowledge of Si. 

Even though we started from continuous variables, we thus 
reach a situation where Alice and Bob need to reconciliate the 
binary string Si, given that Bob knows the correlated binary 
string Si. The two strings are related by the error rate Ci, 
that is the probability that a bit of Si is not equal to the 
corresponding bit in Si. Overall, the reconciliation produces 
H{Si,,,m) uniform bits by disclosing X]i=i m /(^«) ^i*^^' ^^'-^ 
/(e) the number of bits needed to encode a Z-bit string given 
that the decoder knows a correlated string with bit error rate 
e. The net result is thus H{Si,,,m) - J2i=i...m /(^i)- 

A. Binary Reconciliation 

Let us discuss the different options for the binary reconcili- 
ation of a given slice with error rate e. Of course, it is always 
possible to encode 5* using / bits, so that /(e) < I. 

Using a interactive reconciliation protocol such as Cascade 
[7] implies that Alice and Bob exchange parities of various 
subsets of their strings. After running Cascade, Alice and Bob 
have disclosed RS and RS for some binary matrix R of size 
d X I. They thus have communicated the parities calculated 
over d identical subsets of bit positions. The matrix R and 
the number d of disclosed parities are not known beforehand 
but are the result of the interactive protocol, depending on the 
diverging parities encountered. For Cascade, d ~ l{l+£,)h{e), 
where h{e) = — e log e — (1 — e) log(l — e) and ^ is some small 
overhead factor ^ ^ 1. 

In the case of balanced bit strings (i.e., the probabilities of 
and 1 are the same), the parities RS give Eve d bits of 
information on S, but RS does not give any extra information 
since it is merely a noisy version of RS, or stated otherwise, 
S ^ RS ^ RS is a Markov chain. 

However, in the more general case where we need to take 
into account that Eve gathered in E some information on 
both S and S by eavesdropping on the quantum channel, 
S\E -^ RS\E -^ RS\E does not necessarily form a Markov 
chain. Instead, the actual number of bits disclosed during 
reconciliation, namely I{RS, RS; S\E), must be explicitly 
evaluated. This quantity is in general larger than d, therefore 
adding an extra cost due to interactivity. 

Furthermore, it is unfortunately impossible to evaluate this 
quantity without making an assumption on the eavesdropping 
strategy, since we need to explicitly express the variable E. 
In [9], this quantity was calculated for the most general 
assumption within the scope of that paper (i.e., assuming any 
individual Gaussian eavesdropping strategy). However, beyond 
this assumption, the calculation loses its validity. 

To remove any assumption, a possibility is to upper bound 
the number of disclosed bits as if both parties disclosed 
independent information, that is, I{RS,RS; S\E) < 2d k. 
21{1 + ^)h{e). This is unfortunately too expensive in practice, 

' Actually, the slices are corrected sequentially, for i = 1 . . . m, so that 
the estimation of Si can also depend on the knowledge acquired from the 
previous corrected slices Sj, j < i [11]. 



except when e is small, and causes the secret key rate to vanish 
if this worst-case measure is taken for all slices. 

Another option for reconciliation is of course to use side- 
information source coding, as we will do in Sec. IIVI This 
provides a non-interactive reconciliation protocol that has the 
advantages of being independent of the eavesdropping strategy 
and free of interactivity cost. 
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TABLE I 

Net secret key rate with modulation frequency of 800 kHz. 



IV. Application to an Efficient QKD Protocol 

A. Settings 

We used a turbo code as a binary reconciliation protocol in 
the continuous-variable QKD protocol described in [9]. 

The component encoders are two 16-state duo-binary recur- 
sive systematic convolutional encoders with generator poly- 
nomials (23, 35) [12]. The interleaver is a variation of the 
odd/even interleaver presented by Barbulescu [13]. Our inter- 
leaver separates the information bits into two groups; group 1 
contains bits whose corresponding parity bits have been sent 
and group 2 contains bits whose corresponding parity bits have 
been punctured. The two groups are interleaved separately in 
a pseudo-random manner. Then, the bits are rearranged so 
that when the second component encoder computes his parity 
bits, those corresponding to bits from group 1 are punctured 
in priority, and vice versa. This procedure prevents us from 
transmitting the two parity bits from one bit, while another bit 
has none of his parity bits transmitted. The puncturing pattern 
depends on the estimated error rate and is chosen to minimize 
the number of bits sent to Bob. 

The decoding algorithm is the Log-MAP algorithm, which is 
similar to the MAP algorithm but operates in the log-domain. 
We applied a scheme proposed by Fujii et al. [14], which 
consists of weighting the extrinsic information exchanged by 
the two decoders by a factor depending on whether or not 
the corresponding parity bit has been received for this bit. We 
performed 18 iterations with block size N — 10000. 

B. Results 

Each binary string Si was reconciliated using one of the 3 
following strategies, depending on the estimated error rate 6^: 

• if ei > 15%, the string was completely revealed, disclos- 
ing I bits of information, 

• if Ci < 0.8%, an interactive error correction protocol 
(Cascade) was preferred and the number of disclosed bits 
was counted independently for Alice and Bob, 

• otherwise, the turbo coding scheme described above was 
used. 

In Table U our results are compared with those of [9] 
based on the use of reverse reconciliation with estimate of 
the interactivity cost under assumptions. An example of the 
processing of each slice is given in Table Ql] For higher losses, 
the gain on the interactivity cost more than compensates for 
the higher number of parity bits revealed by a turbo code. 

V. Conclusion 

We have shown that decoupling reconciliation and eaves- 
dropping analysis in continuous-variable QKD protocols by 
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TABLE II 

Disclosed bits for each slice, corresponding to the 2nd row of Table]l\ 



using turbo codes allows close, if not better, results than by 
using Cascade and an evaluation of interactivity costs under 
assumptions. Furthermore, this opens the way to enhancing 
the secret key rate for lossy (long-distance) transmissions, for 
which the interactivity seems to play a critical role. 
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